Symantec Encryption Desktop Managed Installs with the Embed policy option
With the Preset Policy Group option, it is possible to embed policy and license information into the installer to force the clients to be disconnected from the Symantec Encryption Management Server. If this is done, there is no connection between the client and the Symantec Encryption Management Server. The client never receives any updated policy information from the Symantec Encryption Management Server, even if the policy is updated on the server side. Policy information normally downloaded during installation is instead embedded in the installer itself. The Organization Key and ADK, however, are not included in embedded policies. This option is useful for Symantec Drive Encryption-only deployments, which cannot connect again to the Symantec Encryption Management Server. If a Symantec Drive Encryption deployment never connects to the Symantec Encryption Management Server, Whole Disk Recovery Tokens, along with other policy features, cannot be used.
NOTE: This option is not recommended for other Symantec Encryption Desktop deployments and caution should be exercised when considering this option as many product features do not work in this mode. Instead, consider enrolling a Drive Encryption-Only client at least one time so a recovery token is available. If the client never communicates with the server again, the client will continue to function as long as the license number being used never expires.
Tip: If you have clients that need to be encrypted with Drive Encryption and will never communicate with the PGP server, we recommend using "Symantec Endpoint Encryption" (as no recovery tokens will be available in this mode), which can encrypt a system and uses "Connectionless" recovery. In Connectionless Recovery, the SEE client can encrypt the hard drive, and even if it never communicates with the Encryption Server, a recovery key can be provided to unlock the machine. Symantec Endpoint Encryption is "machine based", whereas PGP is "User Based". If you own a license for PGP Drive Encryption, you are entitled to use the SEE Drive Encryption. Reach out to Symantec Enterprise Support for further assistance on this. For a Product comparison of SEE VS PGP, see the following article: 151074 - Symantec Endpoint Encryption and PGP Encryption Solutions Comparison
Special consideration should be given when using the Embed Policy option as some functionality is not available when using this feature as listed below:
Note: The Embed Policy option is for Windows only. This feature is not intended to be used for Linux or Mac OSX. The Embed option is grayed out when attempting to download from the PGP Universal Server for Linux or Mac operating systems. A feature request has been logged for this functionality and can be viewed in article TECH197036.
Creating a Managed Symantec Drive Encryption Installation with Embedded Policy
Changing Symantec Encryption Desktop configured client Policies
Note: If there is a requirement to install a new Symantec Encryption Desktop configured client with the Embed option, or a Standard configured client that must contact a Symantec Encryption Management Server, be sure to delete the PGP preferences (both Embedded and Standard preference files) that are left behind, as these files will interfere with the new installation and will use old settings.
PGP Preference files for Windows XP:
Embedded Preference file: C:\Documents and Settings\All Users\Application Data\PGP Corporation\PGP\PGPadmin.xml
Standard Preference files: C:\Documents and Settings\User Account\Application Data\PGP Corporation\PGP\PGPprefs.xml and PGPpolicy.xml
PGP Preference files for Windows 7/8:
Embedded Preference file: C:\ProgramData\PGP Corporation\PGP\PGPadmin.xml
Standard Preference files: C:\Users\User Account\AppData\Roaming\PGP Corporation\PGP\PGPprefs.xml and PGPpolicy.xml
Delete the PGP preference files only after the PGP uninstall has completed: these files are re-created as soon as PGP is run again, so removing them before the uninstall finishes has no lasting effect.
Errors caused by the Embed policy option
If the Embed policy option has been used during the creation of a Standard configured PGP Desktop installation that must contact a PGP Universal Server, the enrollment process will not work properly and the error "Unable to connect to configuration server" can occur.
If using a Standard configured PGP Desktop installation and sending Whole Disk Recovery Tokens to the PGP Universal Server is enforced, the error "The administrative server is not available for storing the Whole Disk Recovery Token" will be displayed.
In addition to the errors displayed above, enrolling with LDAP will also be problematic. The Embedded preference policy was not designed to connect to any PGP Universal Servers. Because this connection cannot be established with the PGP Universal Server, an email address prompt will be displayed instead of LDAP credentials during LDAP enrollment. Enrollment will fail at this point and will display one or more of the errors displayed above.
The solution to the above errors when using a Standard PGP Desktop configured install that must contact a PGP Universal Server is to uninstall the PGP Desktop software, delete the above-mentioned preference files (pgpprefs.xml and PGPadmin.xml) and create a new configured installation without the Embed policy option. To obtain a completely fresh installation, simply delete the PGP Corporation folders located in Application Data (AppData for Windows Vista).
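The cleanup step described under "Changing Symantec Encryption Desktop configured client Policies" above, and the "completely fresh installation" advice in the preceding paragraph, can be scripted so that no stale Embedded or Standard preference file survives an uninstall. The following PowerShell is an added example, not a script from the Symantec article or product: the file paths are the Windows 7/8 ones the article lists, while the function name Remove-PgpPreferenceFiles and its -FullClean switch are this example's own. It enumerates every profile under the users folder rather than a single "User Account", and honours -WhatIf so an administrator can review the list before anything is deleted.

```powershell
<#
Added example (not Symantec's code): remove the PGP preference files that an
uninstall leaves behind so a new configured installer does not pick up old
Embedded or Standard settings. Paths are those the article lists for
Windows 7/8. Run after the uninstall has completed, and with -WhatIf first.
#>
function Remove-PgpPreferenceFiles {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Remove the entire "PGP Corporation" folders instead of just the
        # preference files (the article's "completely fresh installation" case)
        [switch]$FullClean
    )

    # Embedded (machine-wide) preference file: C:\ProgramData\PGP Corporation\PGP\PGPadmin.xml
    $embeddedDir  = Join-Path $env:ProgramData 'PGP Corporation\PGP'
    $embeddedFile = Join-Path $embeddedDir 'PGPadmin.xml'

    # Standard (per-user) preference files live under each profile's AppData\Roaming
    $profileRoot   = Split-Path $env:USERPROFILE -Parent   # typically C:\Users
    $standardNames = @('PGPprefs.xml', 'PGPpolicy.xml')
    $profiles      = Get-ChildItem -Path $profileRoot -Directory -ErrorAction SilentlyContinue

    $targets = @()
    if ($FullClean) {
        # Whole folders: C:\ProgramData\PGP Corporation and each user's Roaming\PGP Corporation
        $targets += Split-Path $embeddedDir -Parent
        foreach ($p in $profiles) {
            $targets += Join-Path $p.FullName 'AppData\Roaming\PGP Corporation'
        }
    } else {
        # Only the three preference files named in the article
        $targets += $embeddedFile
        foreach ($p in $profiles) {
            $userDir = Join-Path $p.FullName 'AppData\Roaming\PGP Corporation\PGP'
            foreach ($name in $standardNames) { $targets += Join-Path $userDir $name }
        }
    }

    $removed = @()
    foreach ($path in $targets) {
        # Skip paths that do not exist (profiles that never ran PGP, already-clean machines)
        if (-not (Test-Path -LiteralPath $path)) { continue }
        # ShouldProcess returns $false under -WhatIf and prints what would happen
        if ($PSCmdlet.ShouldProcess($path, 'Remove')) {
            Remove-Item -LiteralPath $path -Recurse -Force -ErrorAction Stop
            $removed += $path
        }
    }
    # Return the removed paths so the caller can log them
    return $removed
}

# Preview first, then run for real (removing other users' files needs administrative rights)
Remove-PgpPreferenceFiles -WhatIf
# Remove-PgpPreferenceFiles
# Remove-PgpPreferenceFiles -FullClean
```

Run this from an elevated PowerShell session after the uninstall has finished; if it is run while PGP is still installed, the files will simply be re-created the next time PGP starts, as the article notes.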
If the intention was to use a configured policy with the Embed option and the PGP Whole Disk client is unable to contact the PGP Universal Server, most likely a valid hostname for the PGP Universal server was used. This should be changed to an invalid hostname so the PGP Whole Disk client does not attempt to contact the PGP Universal Server. Also, a Mail Server Binding may have been entered. In both cases, a new PGP Desktop configured install should be created with the Embed option.
Note: Symantec Encryption Management Server 3.2 had an issue where the Embed Policy option prevents encrypting a machine. For more information on this issue and how to resolve, see article TECH192250.
For information on how to convert an Embed Policy client into the standard managed client which communicates with Symantec Encryption Management Server without the need of uninstalling the software, see article TECH149637.